I'm trying to protect my images from hotlinking. My first approach was this:
location ~* \.(png|jpg)$ {
valid_referers none blocked server_names;
if ($invalid_referer) {
return 403;
}
}
The problem here is the none tag, because if you enter a url directly there is no referer. So every website could still show my images if a user enters the url directly. So i removed the none tag and surprisingly it's still working on my website.
If I enter my url directly it's still working. But why?
Now my referer is empty but I can still see my images. It definitely works because of the server_names tag but as far I understand the server_names means that if someone has my server name in the referer they could show my images. But If I enter my URL directly I don't have a referer.
Can someone explain this to me?